Wednesday, 23 April 2014

"Broad Oak Toiletries Ltd" fake invoice spam

UPDATE 2014-05-06: there is a new version of this with a malicious .PDF attachment, please scroll down for more details.

This spam purports to be from a legitimate company called Broad Oak Toiletries Ltd, but in fact it is a fake with a malicious payload and it does not come from Broad Oak Toiletries at all. (Some other reports say their email has been hacked; it has not. This is a forgery.)

CONFIDENTIALITY:
The information in this email and any attachments is confidential. It is intended solely for the attention and use of the named addressee(s). The unauthorised copying, retransmission, dissemination and other use of, or taking of any action in reliance upon, this information is prohibited. Unless explicitly stated otherwise, the contents of this message are strictly subject to contract; any views expressed may be personal and shall not create a binding legal contract or other commitment on the part of Broad Oak Toiletries Ltd.

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com

The attachment is Invoice 493234 March 2014.zip which in turn contains a malicious executable Invoice 288910 March 2014.exe which has a VirusTotal detection rate of just 2/51.

UPDATE 2014-05-06:
A new version of this is circulating with a malicious .PDF attachment April invoice 914254.pdf although this time the body text is "Please can you let me have a payment date for the attached April Invoice?" and subject is "Invoice 396038 April". Email addresses spotted so far include

The VirusTotal detection rate for this is 7/51. Automated analysis is somewhat inconclusive. There are some indications that this might be using an Acrobat flaw CVE-2010-0188 which was patched a long time ago, so if you have an up-to-date version of Acrobat Reader you may be protected. Also, if you opened the email in Gmail and used Google's PDF viewer you should be OK too.

Remember though that .PDF files and other document types can also spread malware, so exercise caution when dealing with emails from unknown sources.
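The two attachment patterns described above (a .zip wrapping an Invoice-named .exe, and a .pdf carrying active content such as JavaScript) are what a mail gateway would want to flag. The following is an added example, not code from the blog: a small triage routine over a constructed sample message that mimics those attachments; the sender address and PDF bytes are made up for the demonstration.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions that should never arrive inside an "invoice" archive.
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")
# PDF keys that introduce active content (scripts, launch actions, auto-run).
PDF_RISK = re.compile(rb"/(JavaScript|JS|Launch|OpenAction|AA)\b")


def zip_executables(data):
    """Return member names inside a zip attachment that carry an executable extension."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXEC_EXT)]
    except zipfile.BadZipFile:
        return []  # not a zip at all; nothing to report here


def pdf_risky_keys(data):
    """Return the sorted set of active-content keys present in a PDF attachment."""
    return sorted({m.group(1).decode() for m in PDF_RISK.finditer(data)})


def triage(raw):
    """Parse a raw RFC 5322 message and return (attachment name, finding) pairs."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        if name.lower().endswith(".zip"):
            hits = zip_executables(data)
            if hits:
                findings.append((name, "executable inside archive: " + ", ".join(hits)))
        elif name.lower().endswith(".pdf") or data.startswith(b"%PDF"):
            keys = pdf_risky_keys(data)
            if keys:
                findings.append((name, "PDF with active content: " + ", ".join(keys)))
    return findings


def build_sample():
    """Constructed sample message mimicking the campaign's attachments (not a real capture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice 288910 March 2014.exe", b"MZ placeholder, constructed")
    pdf = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
           b"2 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n%%EOF")
    m = EmailMessage()
    m["From"] = "accounts@example.invalid"  # constructed sender, not the spoofed address
    m["Subject"] = "Invoice 396038 April"
    m.set_content("Please can you let me have a payment date for the attached April Invoice?")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                     filename="Invoice 493234 March 2014.zip")
    m.add_attachment(pdf, maintype="application", subtype="pdf",
                     filename="April invoice 914254.pdf")
    return m.as_bytes()
```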

UPDATE 2014-05-06 II:
A contact analysed the PDF (thanks) and determined that it then downloaded an executable from [donotclick]dr-gottlob-institut.de/11.exe (I guess "11" is a Spinal Tap reference) which has a VirusTotal detection rate of just 4/51.

Automated analysis tools [1] [2] [3] show that this in turn downloads components from the following locations:

This is very similar to the previous infection, although this time "11" has been dialed up to "111". This file (111.exe) has a VirusTotal detection rate of only 2/52 and does various bad things [1][2][3].

This has a VirusTotal detection rate of just 1/51 which makes it almost invisible. Automated analysis [1][2][3][4] shows that it creates fake svchost.exe and csrss.exe, and sends a DNS query for smtp.gmail.com among other things.

Payload appears to be Gameover / P2P Zeus.

(btw, thanks to the #MalwareMustDie team for help!)

UPDATE 2014-05-12:
Another spam run is in progress, with yet another malicious PDF attachment, this time with a VirusTotal detection rate of 8/50.

The PDF downloads a file from: [donotclick]infodream.eu/images/1.exe
..which has a VirusTotal detection rate of just 3/52. The Malwr analysis shows an attempted download from:

Out of these only the first download appears to be working, the binary has a detection rate of 27/52. Automated analysis of this binary [1][2][3] shows that it attempts to connect to various legitimate services plus these suspect IPs in Russia:
217.174.105.92
93.171.173.34
91.221.36.184
37.143.15.103
146.255.194.173

Indeed, spoofing the sender address is very simple and claiming in the body of the email that it comes from any company is obviously trivial. Scammers do this sort of thing all the time and could do it to any business. Broad Oak are powerless and unwitting victims. It's entirely up to the recipients to recognise it for what it is.

We have received a few of these messages today (never any before). All claiming to be from smockridges2@Broad-oak.co.uk except one that claims to be from overplayedjf935@gmail.com

I wonder if it's some sort of revenge attack against Broad Oak from some person disgruntled for some reason. Either way, they have my sympathy. They are probably inundated with people complaining at them through no fault of their own.

Spoofing emails? Faking the email address is actually a feature in a way.

Email was NOT designed to be secure both ways. You can send an email to any email address with any data and it will accept it. The only person who can get that info is the server, not the outside world.

Past that, there is no security to make sure the sender is actually the sender.

My point was, that if they are hosting a web site on the end of a DSL line, they are probably doing it themselves as no professional IT company would do that. It's reasonable to assume that it's probably an amateur job so the web server got compromised and data got stolen giving the hacker a list of email addresses etc. The email I got came from a server in Poland, not from their server on a DSL line.

@Bucks: hmm... but I don't see it on an ADSL line at all. broadoaktoiletries.com is hosted by Webfusion, broad-oak.co.uk by Onyx. I've never dealt with them, I don't believe that they have been compromised.. but the mail is engineered to make it look like it is from Broad Oak. Certainly someone somewhere may have been hacked though.

@Freshwinds: I've seen quite a lot of similar emails that seem to pick a company at random. In some cases it looks like the email template has been stolen from a hacked email account (but not necessarily the company being spoofed). Most likely the perps are in Russia or Ukraine.

I see the site is back up and I can now see it's running IIS6 so it's probably server 2003.

By checking through other means I've determined that they are running Server 2003 Enterprise Edition.

An unusual OS to be running a web server on at the end of a DSL line. If you can afford Enterprise, you should be able to stretch to proper connectivity or hosting.

Just a supposition, but if you are doing it on the cheap and don't have skills in Linux, then a Volume License copy of Windows server is easy to come by......

I noticed some other things about this that I won't publish here as it will impact on their already poor setup and security, I'm just saying and not accusing anyone and this is my personal opinion but the whole setup looks very odd/poor/amateur.

If you look a bit deeper you'll find out the name of the company actually hosting this site and a few others....

I received one to the email address I'd registered uniquely with Whitechapel Gallery, and have received other spam to that same address, so guessing the source was a security breach at the Whitechapel.

AFAIK spoofing the Broad Oak address is a different issue from harvesting the addresses in the first place.

Hi, I too got this email, and stupidly opened the PDF? Adobe Reader program opened and said the file could not be opened. I have run Spybot and McAfee and both have not shown any malware. Does this mean I have not been infected or is there a better program to use to check? Nothing has gone funny on the PC yet? Please help!!

@Jim: I too attempted to open the file. Some of the messages appear to be fake as I got one referring to an Adobe program even when I used another program to open the PDF.

After 3½ hours I'm just now finished scanning my C drive with the free download of F-Prot - one of half a dozen antivirus programs that report the PDF file in the email as harmful (as found here: https://www.virustotal.com/uk/file/28324b810f079b1e46cce41a7931864094852f6c413741e913a0dbe3a769646d/analysis/ ).

F-Prot has not found anything apart from the PDF itself which I had saved to my hard drive for testing.

Some have suggested that perhaps older versions of Adobe might have been vulnerable. http://myonlinesecurity.co.uk/invoice-951266-fake-pdf-malware/

It would be interesting to know (in plain English) what the PDF in the current version of this email actually attempts to do. Set off some kind of JavaScript, I think, but to do what, I don't know.

I have been getting these emails for months almost a year on and off. All to an email address I have not used since last September.

I use Mailwasher 6.51 to view and filter all my emails including the address I no longer use, which BTW is for a website design business I sold, so I know without thinking I never buy toiletries through it.

I do not understand in this day and age why anyone gets caught out by this sort of SPAM, especially this one which is so obvious.

You might want to check with the F-Secure online scanner or MalwareBytes. Understand though that these products may not detect all the malware on your system, and you should run the test again in 24 and 48 hours and then again a few days after.

It might be prudent to switch your computer off and leave it for a bit if you think you are infected, that gives a chance for anti-virus vendors to catch up with today's malware.